CVE-2021-43979

{"id": "CVE-2021-43979", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-11-17T19:15:09.220", "references": [{"url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/open-policy-agent/gatekeeper/releases", "tags": ["Patch", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/hkerma/opa-gatekeeper-concurrency-issue", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/open-policy-agent/gatekeeper/releases", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-670"}]}], "descriptions": [{"lang": "en", "value": "Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent"}, {"lang": "es", "value": "** EN DISPUTA ** Styra Open Policy Agent (OPA) Gatekeeper versiones hasta 3.7.0, maneja inapropiadamente la concurrencia, a veces resultando en un control de acceso incorrecto. El mecanismo de replicaci\u00f3n de datos permite que las pol\u00edticas accedan al estado del cl\u00faster de Kubernetes. Durante la replicaci\u00f3n de datos, OPA/ Gatekeeper no espera a que finalice la replicaci\u00f3n antes de procesar una petici\u00f3n, lo que podr\u00eda causar inconsistencias entre los recursos replicados en OPA / Gatekeeper y los recursos realmente presentes en el cl\u00faster. La inconsistencia puede ser reflejada m\u00e1s tarde en una omisi\u00f3n de la pol\u00edtica. NOTA: el proveedor no est\u00e1 de acuerdo con que se trate de una vulnerabilidad, porque los estados de Kubernetes solo son finalmente consistentes"}], "lastModified": "2024-11-21T06:30:08.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openpolicyagent:gatekeeper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C999E1D-6B0A-4F3B-9000-63AE8570B6FE", "versionEndIncluding": "3.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}